Just a hyper-visor? (Brendan, Wed, 14 Sep 2011 16:54:00 GMT)

Why does this look like a hyper-visor, with a special back door to allow the anti-virus software to talk to the hyper-visor software directly?

How long is it going to take before hackers figure out the communication between "McAfee Applications" and "McAfee DeepSAFE"? I'm guessing less than 1 week before it's all broken wide open, potentially with the end result being hackers taking control of the hyper-visor itself and creating a new class of super-root kits. Yay!

Are OS developers (Microsoft, Apple, Linux, etc.) so incompetent that a whole new layer of bloat is actually necessary?

So many questions..

RE: Just a hyper-visor? (Stephen!, Wed, 14 Sep 2011 17:25:00 GMT)
http://www.osnews.com/thread?489544

"So many questions.."

And as the 208th Ferengi Rule of Acquisition states, "Sometimes the only thing more dangerous than a question is an answer".

premature negativism (AndrewZ, Wed, 14 Sep 2011 18:33:00 GMT)
http://www.osnews.com/thread?489552

This strikes me as a whole new aspect of operating systems theory and implementation. I find this very interesting, and expect to see a slew of new, related products following.

RE[2]: Just a hyper-visor? (Luminair, Wed, 14 Sep 2011 18:34:00 GMT)
http://www.osnews.com/thread?489553

Did you mix up the Ferengi with a Sun Tzu translation? Because that doesn't sound very Ferengi to me.

RE: premature negativism (Soulbender, Wed, 14 Sep 2011 19:29:00 GMT)
http://www.osnews.com/thread?489565

"This strikes me as a whole new aspect of operating systems theory and implementation."

Only if you have never heard about virtualization and hypervisors before.

Fix the OS not the security (jefro, Wed, 14 Sep 2011 19:53:00 GMT)
http://www.osnews.com/thread?489571

Rootkits are a result of a flaw in the OS, not a flaw in the security suite.

RE[2]: premature negativism (helf, Wed, 14 Sep 2011 23:36:00 GMT)
http://www.osnews.com/thread?489599

Yeah. This doesn't seem like anything particularly new or really even that interesting. I refuse to have anything by McAfee or Norton on my machines, much less under the OS like that.

RE: Fix the OS not the security (Alfman, Thu, 15 Sep 2011 03:07:00 GMT)
http://www.osnews.com/thread?489618

"'Rootkits are a result of a flaw in the person, not a flaw in the OS.'

FTFY"

The original quote was not broken.
If a non-trusted application is able to escalate its privilege to root without user authorization, then it is a flaw in the OS. No matter what security suite may be installed, an attack is only possible in the first place because of a flaw in the OS. A security suite may help prevent attacks and clean up after them, but it's not an excuse to leave holes in the OS.

Of course there are trojan horse attacks which coerce the user into giving them root privileges, but that is clearly not what this article is about.

RE[2]: premature negativism (Alfman, Thu, 15 Sep 2011 03:25:00 GMT; edited 2011-09-15 03:26 UTC)
http://www.osnews.com/thread?489629

Soulbender,

"Only if you never have heard about virtualization and hypervisors before."

Of course virtualization is not new, but I wonder if it's using virtualization at all. It could be implemented using SMM (System Management Mode), which has been available since the Pentium era. SMM is not typically available to normal operating systems, only to the BIOS.

Examples of its use are putting the system to sleep and handling some special laptop buttons. SMM enables the BIOS to handle these without any consideration of OS compatibility.

As I have no idea what McAfee Deepsafe actually does, this is pure speculation. My first thought was virtualization also.

RE[3]: premature negativism (Alfman, Thu, 15 Sep 2011 05:46:00 GMT)
http://www.osnews.com/thread?489632

"Hi,

Virtualization isn't new, but normally when virtualization is used for security it's used as a sandbox (e.g. to protect the host from the guest). What is new is using virtualization to protect a guest from itself.

'It could be implemented using SMM (System Management Mode), which has been available since the Pentium era. SMM is not typically available to normal operating systems, only to the BIOS.'

I can almost guarantee "DeepSAFE" isn't using SMM. SMM is hidden in a special area of RAM (often underneath the legacy video display area) and then locked via the chipset to prevent access; and even if you can modify it (due to the firmware manufacturer's failure) you'd need different code for every different motherboard. For both of these reasons it's a massive nightmare to use for anything (except its intended purpose)."

You are probably right, but I thought it worth mentioning. SMM is the right place to put things with oversight over the running OS; however, it's not practical from a generic-solution standpoint.

Assuming DeepSAFE does run the OS under a virtual machine, does that prevent the real OS from running virtual machines recursively (last I read, this was not possible)? Does DeepSAFE actually emulate hardware, or do the real OS drivers have direct access to the hardware?

If DeepSAFE virtualizes hardware, this means all your hardware will need to be compatible with DeepSAFE, and there will be a performance penalty.

If DeepSAFE passes OS control through to hardware unchanged, then it implies that a rootkit might escalate its control through hardware. For example, it might disable DeepSAFE by accessing the hard disk directly. Or it might use a video bitblt operation to read/write RAM in the host.

SMM would be much more secure in this regard since it is inaccessible even to OS developers.

RE[4]: premature negativism (pgeorgi, Thu, 15 Sep 2011 06:20:00 GMT)
http://www.osnews.com/thread?489643

"and even if you can modify it (due to the firmware manufacturer's failure) you'd need different code for every different motherboard. For both of these reasons it's a massive nightmare to use for anything (except its intended purpose)."

I guess the intent is to deliver DeepFried (err.. DeepSafe) with the board (remember McAfee is part of Intel now). And SMM code isn't _that_ mainboard specific, either. At least it doesn't have to be.

With coreboot, we split the SMM code into chipset-specific, board-specific and generic code (though there's little generic code right now).
I guess a "malware scanner" would consist of a large generic chunk with tiny hooks to get it to run on each chipset (with no regard for board specifics).

RE[5]: premature negativism (Alfman, Thu, 15 Sep 2011 07:58:00 GMT)
http://www.osnews.com/thread?489656

pgeorgi,

I've always had an itch to toy with the BIOS code, but never had the courage to do it and risk my motherboard. Writing bootloaders is within my expertise, and I know the BIOS is within reach, but as I don't have source code for my BIOS I have no starting point. I've researched the OSS BIOS projects, but I never knew if they'd be compatible.

My interest wouldn't lie in initializing the hardware myself, but rather in continuing where the BIOS leaves off (and before the BIOS chains off to the bootloader). I already have a small static distro which helps remotely manage the primary OS on the PC. This way, if the primary OS gets corrupted, I need only reboot the PC and the mini-distro can automatically redeploy the main OS.

This works; however, I've always wished that this remote access distro existed in the BIOS instead of being a circumventable bootloader.

Comment by rimzi (rimzi, Thu, 15 Sep 2011 08:31:00 GMT)
http://www.osnews.com/thread?489663

If it's McAfee, then it's Intel. Yes, it's going to be implemented, it's going to be implemented soon, and it's going to be forced into Intel platforms.

Intel acquired McAfee in February this year.

Is it OS specific? (ozonehole, Fri, 16 Sep 2011 00:59:00 GMT)
http://www.osnews.com/thread?489798

It's not clear to me from the original article if this is a "Windows only" thing (as McAfee stuff usually is) or if this is something that will benefit any OS that is installed on the computer.

RE: Comment by rimzi
http://www.osnews.com/thread?489819

Can't wait for my BIOS (or EFI) to be replaced by a crapware UI from McAfee with a really nice graphical theme, but 0 useful functionalities and some random hangs at startup.